Hacking the Car: Cyber Security Risks Hit the Road

Crashed web sites, stolen credit card info — imagine seeing the damage caused by Internet viruses and worms unleashed on a fleet of vehicles. The results could include vehicle location data used with malicious intent, the prevention of a plug-in vehicle battery from recharging, remote starting of a car, or even — as a disgruntled young former car salesman in Texas has demonstrated this week — stranding drivers with a car that won’t start and a horn that won’t quit.

Here’s what happened in Texas, as Wired and the Austin News report: A terminated employee from a car dealership called the Texas Auto Center logged into the company’s web-based system and was able to remotely wreak havoc on more than 100 vehicles. The dealership’s system is able to disable the starter system and trigger incessant horn honking for customers that have fallen behind on car payments. It’s meant to serve as an alternative to repossessing the vehicle, and the ex-Texas Auto Center employee, arrested Thursday on charges of computer intrusion, was able to set off the horn command at will and make it so drivers couldn’t start their cars.

As Ford’s director of connected services Doug VanDagens told us recently (GigaOM Pro, subscription required), “For electric vehicles, connectivity to the web and data are “required over and above what gas engines require.” Apps can use data — about topography, traffic, battery and vehicle health, infrastructure availability, driving behavior — to help orient drivers in the nascent world of electric mobility, both in and out of their vehicle.

While these tools and technologies could help reduce fuel consumption, make electric vehicles more convenient, and enable utilities to prevent excess strain on the power grid as plug-in cars create new demand, that shift to an increasingly digital transportation system brings with it (as Katie has explained in the context of the smart grid buildout) one of the banes of the Internet: hacking.

The stakes, of course, are very different. Certainly nobody wants a virus on their PC. But the prospect of a hacker seizing control of some aspect of a car — a ton of metal capable of going 60-plus MPH, that costs tens of thousands of dollars, and that maybe has a battery in its belly that requires a sophisticated system of thermal controls — is a far scarier thought.

The potential consequences of cyber attacks on a digital power grid could be similarly frightening. Andy Karsner said back in 2008, when he was with the Department of Energy: “This isn’t the cyber-attacking that you think of just for passwords. This is the capacity to destroy hardware in your home, at airports, at military bases, your car, if its connected through the grid.”

We should note that remote immobilization systems like the one involved in the Austin incident have been in use for a decade or more, and yet we have not seen vehicles crippled en masse by hackers. But companies should realize this could be a sensitive issue among consumers, while both companies and regulators need to recognize risks that go along with the transition to increasingly digital and connected systems for transportation and power.